S/N: 09/855,808 

Reply to Office Action of May 5, 2005 



AttyDktNo. UOM 0234 PUS 



Amendments to the Claims : 

This listing of claims will replace all prior versions, and listings, of claims in 
the application: 

1. (previously presented) A system for detecting, tracking and blocking 
one or more denial of service attacks over a computer network, the system comprising: 

a collector adapted to receive a plurality of data packet flow statistics from a 
routing system of the computer network and to process the plurality of data packet flow 
statistics to detect one or more data packet flow anomalies and to generate a signal representing 
the one or more data packet flow anomalies; and 

a controller coupled to the collector to receive the signal; 

wherein the controller is constructed and arranged to respond to the signal by 
tracking attributes related to the one or more data packet flow anomalies to at least one source, 
and wherein the controller is constructed and arranged to block the one or more data packet 
flow anomalies. 

2. (previously presented) The system of claim 1, wherein the collector 
includes a buffer coupled to the computer network and being adapted to process the plurality 
of data packet flow statistics to generate at least one record. 

3. (original) The system of claim 2, wherein the collector further includes 
a profiler coupled to the buffer and being adapted to receive and process the record to generate 
a predetermined threshold. 

4. (previously presented) The system of claim 3, wherein the profiler 
includes means for aggregating the data packet flow statistics to obtain a traffic profile of 
network flows. 

5. (previously presented) The system of claim 4, wherein the data packet 
flow statistics are aggregated based on at least one invariant feature of the network flows. 
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6 . (previously presented) The system of claim 4 , wherein data packet flow 
statistics are aggregated based on temporal, static network and dynamic routing parameters. 

7. (original) The system of claim 5, wherein the at least one invariant 
feature includes source and destination endpoints. 

8. (original) The system of claim 3 , wherein the collector further includes 
a detector coupled to the buffer and to the profiler, the collector being adapted to receive and 
process the record and the predetermined threshold to detect if attributes associated with the 
record exceed the predetermined threshold representing the one or more data packet flow 
anomalies. 

9. (original) The system of claim 8, wherein the collector further includes 
a local controller coupled to the detector and to the profiler and being adapted to receive and 
respond to the one or more data packet flow anomalies by generating the signal representing 
the one or more data packet flow anomalies. 

10. (original) The system of claim 9, wherein the detector includes a 
database for storing the at least one record, predetermined threshold, the one or more data 
packet flow anomalies, and related information. 

11. (original) The system of claim 10, wherein the profiler includes a 
database for storing a plurality of data packet flow profiles and related information. 

12. (original) The system of claim 1, wherein the controller includes a 
filtering mechanism for blocking the one or more data packet flow anomalies. 

13. (original) The system of claim 12, wherein the filtering mechanism 
includes a plurality of filter list entries. 
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14. (original) The system of claim 12, wherein the filtering mechanism 
includes a plurality of rate limiting entries. 

15. (original) The system of claim 1, wherein the controller includes a 
correlator coupled to the collector and being adapted to receive and normalize the plurality of 
signals representing the one or more data packet flow anomalies and to generate an anomaly 
table including the attributes related to the one or more data packet flow anomalies. 

16. (original) The system of claim 15, wherein the correlator includes a 
database for storing the anomaly table. 

17. (original) The system of claim 16, wherein the correlator further 
includes an adapter that is constructed and arranged to communicate the anomaly table to a 
computing device for further processing. 

18. (previously presented) The system of claim 16, wherein the controller 
further includes: 

a web server; and 

access scripts that cooperate with the web server to enable a computing device 
to access the database defined on the controller to view the anomaly table. 

19. (currently amended) A system comprising: 
at least one routing system; 

a plurality of computer systems coupled to the routing system; and 
means for detecting one or more denial of service attacks communicated to the 
plurality of computer systems over the at least one routing system based on a plurality of data 
packet flow statistics from the at least one routing syste m wherein the means for detecting 
includes a means for generating a plurality of signals representing one or more data packet 
flow anomalies: and 
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a means for tracking one or more denial of service attacks communicated to the 
plurality of computer systems over the at least one routing system wherein the means for 
tracking includes a means for receiving and responding to the plurality of signals bv tracking 
attributes related to the one or more data packet flow anomalies back to at least one source of 
the attack . 

20. (cancel) 

21. (currently amended) The system of claim 19 [[20]], further including 
a means for blocking the one or more denial of service attacks communicated to the plurality 
of computer systems over the at least one routing system. 

22. (previously presented) The system of claim 21 , wherein the means for 
detecting includes a means for collecting a the plurality of data packet flow statistics from the 
at least one routing system. 

23. (previously presented) The system of claim 22, wherein the means for 
detecting further includes a means for processing the plurality of data packet flow statistics to 
detect one or more data packet flow anomalies . 

24. (cancel) 

25. (cancel) 

26. (original) The system of claim 19, further including a means for 
communicating the one or more denial of service attacks to a computing device for further 
processing. 
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27. (previously presented) A method for detecting, tracking and blocking 
one or more denial of service attacks over a computer network, the system comprising the 
steps of: 

collecting a plurality of data packet flow statistics from a routing system of the 
computer network; 

processing the plurality of data packet flow statistics to detect one or more data 
packet flow anomalies; 

generating a plurality of signals representing the one or more data packet flow 
anomalies; and 

receiving and responding to the plurality of signals by tracking attributes related 
to the one or more data packet flow anomalies to at least one source. 

28. (original) The method of claim 27, further including the step of blocking 
the one or more data packet flow anomalies in close proximity to the at least one source. 

29. (previously presented) The method of claim 28, wherein the step of 
collecting the plurality of data statistics includes: 

buffering the plurality of data packet flow statistics; 

processing the plurality of data packet flow statistics to generate at least one 

record; and 

receiving and profiling the at least one record to generate a predetermined 

threshold. 

30. (previously presented) The method of claim 29, wherein the step of 
collecting the plurality of data packet flow statistics farther includes; 

detecting if attributes related to the at least one record exceed the predetermined 
threshold representing the one or more data packet flow anomalies. 

31. (previously presented) The method of claim 30, wherein the step of 
collecting the plurality of data packet flow statistics further includes: responding locally to the 
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one or more data packet flow anomalies by generating the plurality of signals representing the 
one or more data packet flow anomalies. 

32. (original) The method of claim 27, wherein the step of receiving and 
responding to the plurality of signals includes: 

correlating the plurality of signals representing the one or more data packet flow 
anomalies; and 

generating an anomaly table including the attributes related to the one or more 
data packet flow anomalies. 

33. (original) The method of claim 32, wherein the step of receiving and 
responding to the plurality of signals further includes the step of communicating the anomaly 
table to a computing device for further processing. 



-7- 



